Related Content

Those affected are urged to call 1- 866-578-5422, to determine if you want to have an online or US mail alert mechanism. For the online service, visit protectmyid.com/scdor The code is: scdor123(For the US Mail service, you will receive notifications via the US mail.)

The S.C. Department of Revenue says 3.6 million Social Security numbers along with 387,000 credit and debit card numbers have been exposed.

The hacker had an international IP address, officials said.

According to State Law Enforcement Division Chief Mark Keel, it could be weeks before the full ramifications of the security breach are known.

"We don’t know what was extracted,” said Keel.

Keel said state officials learned of the problem Oct. 10 although the hacker may have gotten into the files as early as August.

Gov. Nikki Haley said the state is negotiating with Expirion to provide protection and insurance for one year. It’s still unclear what that will cost the state. Haley said the price will be based upon how many people sign up for the service.

Haley said taxpayers have until January to sign up for protection.

Another ripple effect is that the Social Security numbers of minors are on tax forms, so the state will be offering family protection plans.

Haley added that she and her husband Michael had their identities stolen several years ago. She said it took four to five years to get things straightened out. In her case, someone opened a credit card and maxed in out in their name. She said her family did not have the protection the state is now offering.

When asked what happens two years from now when the protection plan expire, Haley said, “I can tell you, the people of South Carolina will be taken care of.”

Protection program available

Of the 387,000 credit cards, the vast majority are protected by strong encryption deemed sufficient under the demanding credit card industry standards to protect the data and cardholders, according to the SCDR. But about 16,000 were unencrypted.

To protect taxpayers, the state will provide those affected with one year of credit monitoring and identity theft protection. Officials emphasized that no public funds were accessed or put at risk.

“On Oct. 10, the S.C. Division of Information Technology informed the S.C. Department of Revenue of a potential cyber attack involving the personal information of taxpayers,” said DOR Director James Etter. “We worked with them throughout that day to determine what may have happened and what steps to take to address the situation. We also immediately began consultations with state and federal law enforcement agencies and briefed the governor’s office.”

Upon the recommendation of law enforcement officials, DOR contracted Mandiant, one of the world’s top information security companies, to assist in the investigation, help secure the system, install new equipment and software and institute tighter controls on access.

The SCDR said that on Oct. 16, investigators uncovered two attempts to probe the system in early September, and later learned that a previous attempt was made in late August. In mid-September, two other intrusions occurred, and to the best of the department’s knowledge, the hacker obtained data for the first time. No other intrusions have been uncovered at this time. On Saturday, the vulnerability in the system was closed and, to the best of the department’s knowledge, secured.

“The number of records breached requires an unprecedented, large-scale response by the Department of Revenue, the State of South Carolina and all our citizens,” said Gov. Nikki Haley. “We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected.”

If affected, the taxpayer can immediately enroll in one year of identity protection service provided by Experian. The call center is open from 9 a.m. to 9 p.m. Monday through Friday. On the weekends it is open from 11 a.m. to 8 p.m.

Experian’s ProtectMyID™ Alert is designed to detect, protect and resolve potential identity theft, and includes daily monitoring of all three credit bureaus. The alerts and daily monitoring services are provided for one year, and consumers will continue to have access to fraud resolution agents and services beyond the first year.

In addition to the Experian service, state officials urged individuals to consider additional steps to protect their identity and financial information, including:

Regularly review credit reports

Place fraud alerts with the three credit bureaus

Place a security freeze on financial and credit information with the three credit bureaus

If credit card information is compromised, the best protection is to have the bank reissue the card. Anyone who has used a credit card in a transaction with the Department of Revenue should check bank accounts regularly to see if any unauthorized charges have occurred. If so, the cardholder should contact the credit card issuer immediately by calling the toll-free number located on the back of the card or on a monthly statement, tell them what you have seen, and ask them to cancel and reissue the card. Consumers should also change any credit card web account passwords immediately when unauthorized charges are detected.

“From the first moment we learned of this, our top priority has been to protect the taxpayers and the citizens of South Carolina, and every action we’ve taken has been consistent with that priority,” Etter said. “We have an obligation to protect the personal information entrusted to us, and we are redoubling our efforts to meet that obligation.”